Skip to main content
West Virginia University Office of Human Research Protections
WVU Research Office

WVU OHRP HIPAA Privacy Requirements

Data Classifications

Data used for conducting research is categorized according to institutional policy and regulatory policy.  Research data containing identifiers ALWAYS requires a higher level of protection.  Submit a Research Data Protection Form PRIOR to submitting a protocol to ensure the risk category of the data is accurate, an approved protection plan is selected and software used for collection or transmission is approved.

LIST OF PHI/PII IDENTIFIERS 

HIGH RISK 
Sensitive Data - A University classification that includes, protected health information (HIPAA PHI), and some personally identifiable information (PII), financial information, controlled unclassified information, export-controlled data, and confidential business information/trade secrets protected by contractual agreement.  Sensitive data presents the most risk and has more stringent protection requirements for storage, access, and the software used for collection and transmission.

MEDIUM RISK
Confidential Data - A University classification that includes personally identifiable information considered to be research PII.  Confidential data has less stringent protection requirements.  Anonymized and coded data are included in this category as there is a risk of re-identification of the individual. 

LOW RISK
Data collected for research purposes that is de-identified or anonymous.  This data can never be used to identify an individual as it was collected without identifiers.

NOTES:
  • Data from WVU Medicine medial records always requires a HIPAA Waiver of Authorization to review the information.
  • WVU non covered entities (NCE) using data from a WVU Medicine Medical record must comply with HIPAA and the data must be stored at an approved storage location in WVU HSC.
  • Researchers conducting research in a WVU Covered Entity must comply with HIPAA even if the data source is NOT a WVU Medicine medical record or from a health care event. i.e. a survey collecting information about a condition, etc.
  • Research PII applies to research conducted under the auspices of WVU.
  • Data from WVU Medicine Enterprise Analytics must be stored according to WVU Medicine IT policy.